CrowdStrike has finally released a full report of what happened, and you can find it here. It covers quite a few interesting topics, so let us first look at what stands out in it.

1. “Rapid Response Content is delivered through Channel Files and interpreted by the sensor’s Content Interpreter, using a regular expression based engine”. If this is a true regular-expression engine, then it is really bad. As you probably know, Windows drivers are typically written in C, and I would never put a C-based regular-expression engine into a kernel driver. It is just too risky.

There are multiple issues with regular expression libraries. Firstly, it is hard to prove that it is working correctly. Typically there are many